0

i think i have a problem with my crypt(); php function. No errors show up in my error log.

Im having difficulties when it comes to authenticating a login page.

   if( $page_mode == 'Login' )
{
require "globe.php";
    //simple post from below
    $username = htmlentities(trim($_POST['username']));
    $username = mysqli_real_escape_string($mysqli, $username);
    $password = trim($_POST['password']);
    $query = mysqli_query($mysqli, "SELECT * FROM Persons WHERE Username = '$username'");
    $row = mysqli_fetch_assoc($query);
    $numrows = mysqli_num_rows($query);
    $dbuser = $row['Username'];
    $dbpass = $row['Password'];
    $hashed_password = crypt($password, $dbpass);




    if( ($username == '') || ($password == '') ) {
        $error_string .= '<font color=red>You have left either the username or password field blank!</font>';
        }
    else if ($numrows == 0)
    {
        $error_string .= '<font color=red>No username can be found!</font>';
        }
    else if ($numrows == 1)
    {

       if ($password == $hashed_password)
       {
       $error_string .= '<font color=red>Details checked out</font>';
       }
    }
    else {
            $error_string .= '<font color=red>There was an error. Please contact an Admin</font>';

    }
}

None of the error stings display when I test it when i put in a username and password.

Would be grateful if anyone can resolve this

Should mention the error only started coming with the check of dbpass with usepass

lecardo
  • 1,208
  • 4
  • 15
  • 37

1 Answers1

1

You have

$password = trim($_POST['password']);
$dbpass = $row['Password'];
$hashed_password = crypt($password, $dbpass);

if ($password == $hashed_password)

This compares the clear password from the login form to the hashed password. But you must compare the hashed password against the hashed password stored in the database. So, this should be

if ($hashed_password == $dbpass)

because in the database, only the hashed password is stored.

For debugging purposes, you should echo $hashed_password and $dbpass to see what and how this is wrong. Crypt states also, that crypt might fail if given an unsuitable salt. The returned string will then be less than 13 characters long.

Olaf Dietsche
  • 72,253
  • 8
  • 102
  • 198
  • so how does that check against the user password that was inputted. I tried that line you showed but had no luck. Thanks for posting though – lecardo Nov 25 '12 at 22:51
  • @Bobski I have updated my answer to clarify the idea behind my proposed change. – Olaf Dietsche Nov 25 '12 at 23:03
  • thanks for the response. I carried out some debugging and came across this. db pass $1$MUMIxjyq$XBvB1QAvXmayWvVmRqTbC0 pass ******** hshpas $1$MUMIxjyq$RoZKifwj6UmCrHhnFFM0u0 Seems that the salt works fine at the start but breaks down? – lecardo Nov 25 '12 at 23:15
  • @Bobski If your clear password is really "\*\*\*\*\*\*\*\*", it's not surprising that it differs from the stored one. Now you must find out, where the password is changed to "\*\*\*\*\*\*\*\*". – Olaf Dietsche Nov 25 '12 at 23:36
  • clear password isn't that, its worldofwars, even if it was that and it was correct to what the database has, it should still display the same output in hash. this is whats puzzling me -.- – lecardo Nov 25 '12 at 23:37
  • @Bobski That's strange, when I crypt your password with this salt, I get an entirely different third hash. Did you create all the hashes on the same or different machines? I'm out of ideas. Anyway, whatever it is, I learned a lot on the way :-) – Olaf Dietsche Nov 25 '12 at 23:52
  • same machine same host same eveything. I have a strange feelings its something right in front of me. Database password hash gives a longer password then the encrypted one on the login page. Both at the start for first 8-10 characters have same letters then it changes after – lecardo Nov 26 '12 at 22:27
  • @Bobski This is as it should be. These common characters are the salt. The hashed passwords, you have shown above, have the same length. So nothing wrong here either. – Olaf Dietsche Nov 26 '12 at 22:33